
CORS Regex Header Allow-Credentials Bug #43736

Closed
GeorgeDanicico opened this issue Oct 6, 2024 · 4 comments · Fixed by #44054
Labels: area/security, kind/bug (Something isn't working)
Comments


GeorgeDanicico commented Oct 6, 2024

Describe the bug

When using regex for CORS origins, it seems that when there is a match between the regex and the Origin, the Access-Control-Allow-Credentials header is false, while according to the documentation it should be true. Am I missing something? This can be fixed by declaring the property, but I was just curious whether it is a bug.

Expected behavior

The header Access-Control-Allow-Credentials should be true when the regex matches the Origin.

Actual behavior

If the property quarkus.http.cors.access-control-allow-credentials is not mentioned and if the regex matches the origin, the header's value is false.

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (i.e. output of mvnw --version or gradlew --version)

No response

Additional information

No response


quarkus-bot bot commented Oct 6, 2024

/cc @pedroigor (bearer-token)


gsmet commented Oct 10, 2024

Any chance you could prepare a small Maven reproducer for the issue? You can attach it as a zip to your description or comment. Thanks!

GeorgeDanicico (Author) commented

Sure. I have created the zip. I also attached some images with the curls. In the first image, the cors.origins is set to https://app.mydomain.com and in the second image it is set to /https://\\.*mydomain\\\\.com/
[Attachments: two images of the curl output, issue.zip]


gsmet commented Oct 23, 2024

Thanks for the reproducer. From what I can see, it looks like an oversight. I'm working on a patch.

gsmet added a commit to gsmet/quarkus that referenced this issue Oct 23, 2024
We used to only consider exact matches, which looks like an oversight.

Fixes quarkusio#43736
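A small Python model of the decision this issue is about, added here as an illustration and not code from Quarkus: it parses an origins value in the exact-or-/regex/ form shown above, then compares the pre-fix behaviour (only exact matches yield Access-Control-Allow-Credentials: true) with the fixed one and with the explicit-property workaround the reporter mentions. The parsing rules and the default for the credentials header are assumptions of the model, not Quarkus's implementation.

```python
import re

# Constructed config value in the form the issue shows: exact origins and
# slash-delimited regex origins, comma-separated (assumed syntax for this model).
CORS_ORIGINS = r"https://app.mydomain.com,/https://[a-z0-9-]+\.mydomain\.com/"


def parse_origins(value):
    """Split an origins value into exact strings and compiled regexes."""
    exact, patterns = [], []
    for item in (v.strip() for v in value.split(",")):
        if len(item) >= 2 and item.startswith("/") and item.endswith("/"):
            patterns.append(re.compile(item[1:-1]))
        elif item:
            exact.append(item)
    return exact, patterns


def cors_headers(origin, exact, patterns, credentials=None, regex_aware=True):
    """Response headers for a request carrying `origin`.

    credentials=None models leaving access-control-allow-credentials unset,
    so the default applies; a bool models setting the property explicitly.
    regex_aware=False models the pre-fix behaviour the issue reports, where
    only exact matches counted towards the credentials header.
    """
    exact_match = origin in exact
    # fullmatch: a regex allowlist must cover the whole origin, not a prefix.
    regex_match = any(p.fullmatch(origin) for p in patterns)
    if not (exact_match or regex_match):
        return {}  # no CORS headers: the browser blocks the cross-origin read
    if credentials is None:
        credentials = exact_match or (regex_aware and regex_match)
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true" if credentials else "false",
    }


def credentials_value(origin, regex_aware=True, credentials=None):
    """Value of the credentials header for `origin`, or None if not allowed."""
    exact, patterns = parse_origins(CORS_ORIGINS)
    headers = cors_headers(origin, exact, patterns, credentials, regex_aware)
    return headers.get("Access-Control-Allow-Credentials")


if __name__ == "__main__":
    for origin in ("https://app.mydomain.com", "https://api.mydomain.com",
                   "https://api.mydomain.com.evil.example"):
        print(origin, "bug:", credentials_value(origin, regex_aware=False),
              "fixed:", credentials_value(origin))
```

Running it shows the exact origin getting true in both modes, the regex-only origin getting false before the fix and true after it, and a lookalike origin getting no CORS headers at all because the regex is applied to the whole Origin value.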
@gsmet gsmet closed this as completed in c3b729e Nov 25, 2024
@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Nov 25, 2024